PLANNING FOR THE LOAN MANAGEMENT AND ACCOUNTING SYSTEM MODERNIZATION AND DEVELOPMENT EFFORT

Report No.: 8-13
Issued: May 14, 2008

Prepared by the Office of Inspector General
U.S. Small Business Administration


U.S. Small Business Administration
Office of Inspector General
Memorandum

To:      Eric R. Zarnikow, Associate Administrator for Capital Access
         Christine Liu, Chief Information Officer
         Deepak Bhargava, LMAS Project Manager
From:    Debra S. Ritt, Assistant Inspector General for Auditing (/s/ Original Signed)
Date:    May 14, 2008
Subject: Report on Planning for the Loan Management and Accounting System Modernization and Development Effort, Report No. 8-13

This report addresses SBA’s Loan Management and Accounting System (LMAS) modernization and development effort. The LMAS project, currently in the planning phase, was initiated in November 2005 to modernize SBA’s mainframe-based Loan Accounting System (LAS) and make it independent from the mainframe, which was inflexible, presented security risks, and was based on obsolete technology. This report addresses progress that the Agency has made since project inception, the soundness of SBA’s project management approach, and the adequacy of oversight activities that have been established to review the conduct and requirements of the planning effort. It is intended to communicate areas of risk that need to be addressed as the LMAS project progresses.

In September 2005 the OIG reported that, according to SBA’s strategic systems plan, the single biggest challenge facing SBA was the modernization of its loan accounting process, which was still being supported by LAS as the central hub.1 We noted that LAS was close to the end of its expected useful life and was not compliant with SBA’s Information Technology Architecture. To address these issues, we recommended that SBA immediately develop and deploy an effective LAS migration or modernization plan.

1 SBA Needs to Implement a Viable Solution to its Loan Accounting System Migration Problem, Report Number 05-29, September 30, 2005.

We initiated this audit of LMAS to identify technical and management issues early in the project’s development life cycle. The objectives of the audit were to evaluate the (1) progress SBA has made since project inception, (2) soundness of the project management approach, and (3) adequacy of project oversight. To address our objectives, we interviewed SBA personnel, and reviewed SBA policy documents, LMAS project planning materials, contracts, and budget submissions.

We also reviewed documents provided by the LMAS Project and Steering Oversight Council and LMAS Change Control Board. In addition, we assessed SBA’s compliance with Federal laws and regulations regarding the development and protection of Federal information systems and data. We further reviewed documents that identified current risks and vulnerabilities related to the LAS system. Our audit was conducted between March 2007 and January 2008 in accordance with Government Auditing Standards prescribed by the Comptroller General of the United States.

BACKGROUND

The LMAS project is one in a series of attempts by SBA during the past several years to update existing financial software application modules that currently comprise LAS and to migrate them off of the mainframe environment. [FOIA Ex. 2]. LAS has been in place for over 30 years, is inflexible, and provides an end-user interface that is both difficult to navigate and comprehend.

As required by the Federal Information Security Management Act (FISMA) and the Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, [FOIA Ex. 2].

To identify the best solution for addressing the limitations of LAS and the security risks of operating in a mainframe environment, in December 2004 the Office of the Chief Information Officer (OCIO) prepared a Migration Mainframe Business Case Analysis, outlining several alternatives. Based on this analysis, the OCIO recommended migrating LAS off the mainframe without adding any new user requirements or functionality. This alternative was determined to present the lowest risk and to be the most cost-effective solution, as it did not constitute a redesign or new systems development effort. The OCIO’s analysis indicated that this alternative would allow SBA to replace LAS in a more strategic manner without the time constraint imposed by the impending expiration of the mainframe contract. The initial goals of the proposed migration plan were to:

    • Reduce the extremely high cost of the current mainframe hardware;

    • Have a solution in place prior to the expiration of the mainframe contract in February 2007 to avoid the need to re-compete the contract; and

    • Address the security issues associated with the current mainframe-based entry screens.

By migrating LAS off of the mainframe, the Acting Chief Information Officer (CIO) in 2005 estimated that SBA could potentially save $16.4 million during the first 5 years of operation outside of the mainframe. The CIO proposed to initiate the project in January 2005, with the migration of LAS to a new operating platform and termination of the mainframe contract in February 2007. However, the OCIO’s proposal to initiate this project was not approved by SBA’s Business Technology Investment Council.

In September 2005 the OIG reported that even though LAS presented a substantial risk to the Agency, SBA had not yet adopted and implemented a definitive migration strategy or replacement approach for LAS.2 We recommended that the Agency adopt a plan to expedite the migration of LAS off the mainframe and to make it the highest priority of SBA.

Following the OIG report, in November 2005 SBA announced that it was initiating the LMAS project. At that time, SBA stated its intent to implement a single integrated loan and financial management system that not only included migration to a new operating platform, but also included the modernization of all the loan system components—from the core loan functions to the 19 subsystems associated with loan processing and servicing operations. A November 14, 2005, project initiation memorandum stated that, given the budget environment, the Agency’s intent was to develop the project incrementally. It also stated that the project was expected to take several years or more and would have significant budget requirements. In February 2006, the Administrator again announced that the Agency would incrementally transition from the legacy loan systems to a more modern and cost-effective LMAS.

To manage the project, SBA established an LMAS Project and Steering Council comprised of senior executives that meet weekly to evaluate the project status and provide direction. The Council members include the CIO, Deputy CIO, Chief Financial Officer, the Administrator’s Senior Advisor for Policy and Planning, and the Associate Administrators for Management and Administration, Capital Access, and Disaster Assistance. Additionally, the Associate Administrator for Capital Access was designated to be the project champion.

2 SBA Needs to Implement a Viable Solution to its Loan Accounting System Migration Problem, Report Number 05-29, September 20, 2005.

RESULTS IN BRIEF

Despite the urgency of addressing LAS security vulnerabilities, SBA was unable to replace the system prior to the expiration of the mainframe contract in February 2007, causing the Agency to renew costly contracts for mainframe and application support services for another 5 years. These services are expected to cost approximately $6 million per year.

Currently, LMAS remains in the project planning phase—the first stage of the systems development effort. The project is expected to stay in this phase for another year because SBA revised its acquisition strategy in October 2006, and decided to adopt the Statement of Objectives (SOO) methodology in December 2006 instead of using a requirements-based Request for Proposal (RFP). The SOO methodology is a seven-step approach to performance-based acquisition, under which SBA will identify the contractor who can design the best system for accomplishing SBA’s business objectives. SBA believes this approach will save the Agency time and money and result in a better product because it is based on elaborate market research, due diligence, and prototyping processes in selecting the integration contractor. Under the revised plans, it is unclear when LAS will be migrated off of the mainframe, as the timing of the migration effort will be determined by the solution provider, who will not be identified until SBA awards the contract in late April 2008. However, the LMAS project manager has indicated that once portions of LMAS are completed, they will be migrated off the mainframe.

Because SBA was unable to migrate LAS off the mainframe, [FOIA Ex. 2]. By delaying the migration, SBA is not adhering to Federal guidance that requires timely remediation of information security risks. [FOIA Ex. 2].

The audit also disclosed that SBA had not established either an enterprise-wide or project-level quality assurance (QA) function to ensure that LMAS project deliverables meet SBA’s requirements and quality standards, as required by OCIO. While the LMAS Project and Steering Council has provided independent oversight of the project, it cannot perform the wide range of quality assurance activities and technical reviews required for a project that is as large and complex as LMAS.

Finally, the project lacks an approved Quality Plan that establishes the standards and procedures that will be employed to ensure adherence to OCIO’s requirements, as required by the Federal Acquisition Regulations (FAR). Because SBA did not finalize a Quality Plan in time for the project solicitation, it will need to ensure that such requirements are developed before a contract is awarded for LMAS. According to the OCIO, SBA has requested that vendors who compete for the LMAS contract include in their proposals a Quality Assurance Surveillance Plan, and will ensure this plan is in place prior to the solution provider’s commencement of any work task.

SBA will also need to establish an enterprise-wide and a project-level QA function for the LMAS project. Doing so early in the project life cycle is essential to provide independent assurance on project reporting and metrics, compliance with SBA Information Technology policy, and an independent assessment of the project deliverables. Although the Agency has not effectively established a project-level QA function for LMAS, OCIO is pursuing two enterprise-wide QA activities. It is currently piloting an Enterprise Change Control Board, which, when fully implemented, will review LMAS. Also, under the new OCIO organizational structure, an enterprise-wide quality assurance (QA) component is being proposed.

On May 14, 2008, the Chief Information Officer provided a formal response to the draft that incorporated comments from the Office of Capital Access, generally concurring with recommendations 1, 2, and 3. However, management did not provide time frames for implementing proposed actions, which are needed to be fully responsive to the recommendations. Further, we did not receive comments from the LMAS project manager addressing recommendations 4 and 5. Therefore, we plan to pursue a management decision on these two recommendations through the audit resolution process. The full text of management’s comments can be found in Appendix II.

RESULTS

SBA Has Not Migrated LAS Off the Mainframe

To date, SBA has expended approximately $1 million of the $1.5 million budgeted for the initial development of the system to:

    • Update the project capital asset plans and submit them to OMB;

    • Engage in market research to identify the most likely commercial-off-the-shelf (COTS) products that could be used to replace either all or part of LAS; and

    • Contract for project management services to assist in project support and an RFP for the acquisition of a replacement system.3

Contrary to the OCIO’s recommendation in the Business Case Analysis and concerns raised by the OIG in May 2006, SBA did not migrate LAS off the mainframe platform when the mainframe contract expired in February 2007 to reduce the cost and security risks associated with the mainframe hardware. Consequently, in February 2007, SBA entered into new contracts for mainframe and applications support. These contracts will expire in January and April 2012, respectively, and together are estimated to cost approximately $30 million over the 5-year life of the contracts.

SBA’s limited progress in developing LMAS is largely attributable to the Agency’s decision this year to revise its acquisition strategy. According to SBA’s contract for LMAS project management services, a modernization roadmap and integrator Statement of Work for the project were scheduled to be completed and accepted by SBA in September 2007. In October 2006, SBA revised its acquisition strategy from a requirements-based RFP to an SOO methodology, and on October 5, 2007, announced that it was looking for a solution provider for the LMAS project. Rather than building a system based on defined system requirements, the SOO approach will identify the contractor who, based on an understanding of SBA’s business processes, can design the best system for accomplishing SBA’s business objectives. SBA believes this approach will save the Agency time and money and result in a better product because it is based on elaborate market research, due diligence, and prototyping processes in selecting the integration contractor.

Current plans call for SBA to select the best solution provider and award the contract by April 22, 2008. According to an October 5, 2007, SBA press release, the total cost of developing LMAS over the next 3 to 5 years and the cost of maintaining and operating the system for the next 10 years could approach $125 million.

Because SBA revised its acquisition strategy, the Agency has essentially restarted the LMAS project, placing it in the same position as it was in 2005 when LMAS was first initiated. Consequently, LMAS remains in the initial activities related to the project planning phase. Unless carefully managed, this strategy could increase project risks, as it places a high reliance on the contractor to both develop system requirements and to design the solution, potentially locking the Agency into using one service provider. It also could impact SBA’s ability to take advantage of changes in technology that occur during the project’s life cycle. However, SBA has acknowledged these risks and has indicated that it will take steps to mitigate them.

3 On March 23, 2006, SBA hired Macro Solutions of Arlington, VA for systems development support.

By Delaying its Mainframe Migration, SBA is Not Adhering to Federal Guidance That Requires Timely Remediation of Information Security Risks

Although LAS is designated a [FOIA Ex. 2] per FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, [FOIA Ex. 2]. According to SBA’s November 27, 2007, Plan of Action and Milestones (POA&M), [FOIA Ex. 2].

Currently, SBA’s migration plans are linked to the solution to be identified under the SOO approach. Because a contract will not be awarded to a solution provider until late April 2008, it is unlikely that migration will occur before the new contracts expire in 2012, and SBA will continue to incur significant mainframe costs. Further, it is unclear what priority will be given to the migration effort and when in the project cycle it will occur under SBA’s revised acquisition strategy. If not addressed in the project plan, migrating LAS off the mainframe could be pushed toward the end of the project. Additionally, because the timelines for the LMAS project are not sufficiently integrated with that of SBA’s new mainframe contract, LMAS development activities may not dovetail with the processing requirements of the mainframe contract.

By delaying the mainframe migration, SBA has not complied with Federal guidance that requires timely remediation of information security risks, and has left the Agency vulnerable to potential system attacks by external sources. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, requires that organizations employ appropriately tailored security controls. Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, also requires agency heads to “Protect government information commensurate with the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of such information.” As mentioned above, [FOIA Ex. 2]. These vulnerabilities, if not mitigated, will likely affect conclusions reached in future Federal Information Security Management Act (FISMA) reviews and financial audits of SBA. Consequently, we believe that SBA should take interim steps to address the security vulnerabilities until the migration can be completed.

SBA Lacks Both an Enterprise-wide and Project-level Quality Assurance Function to Ensure that LMAS Adheres to Quality Standards

OCIO’s Systems Development Management policy requires that an enterprise QA function, independent of all SBA projects and programs, be established to provide oversight of software development projects. The purpose of the enterprise QA function is to ensure that all IT projects undertaken by SBA adhere to SBA’s quality standards and procedures throughout the software development and maintenance process. This function is intended to allow SBA to fulfill its mission under the Clinger-Cohen Act to provide independent assurance that software development, testing and configuration management efforts are aligned with SBA’s IT architecture and are compliant with SBA development standards and policies.

In addition, OCIO requires that a QA group be established at the project level to execute QA activities for each software project. These activities include verifying that project plans, standards, and procedures are in place and can be used to review the software project and to evaluate the deliverable software products against these standards. The group is to be headed by a QA manager, who is independent of the project and is responsible for ensuring that adequate resources and funding are provided for performing QA activities.

Despite these requirements, SBA lacks both an enterprise QA function and an adequate project-level QA function to oversee the LMAS project. The CIO is in the process of establishing an enterprise QA group and has hired a manager for the group, but has not been allocated additional positions with which to staff up the group. The project-level QA function is currently being performed by the LMAS Project and Steering Council, which is made up of senior executives. These executives include the CIO, Deputy CIO, Chief Financial Officer, the Administrator’s Senior Advisor for Policy and Planning, and the Associate Administrators for Management and Administration, Capital Access, and Disaster Assistance.

While several of the council members have the organizational freedom to be the “eyes and ears” of senior management on the LMAS project, with the exception of the CIO, they do not possess the expertise needed to conduct technical reviews of the software development activities. They also cannot devote the time that would be required to perform all of the QA activities. For example, the individual(s) managing the QA process would be expected to participate in software design and code reviews, ensure that software and test documentation is subject to configuration management, and participate in software verification and validation activities. They would also be expected to continuously review project activities and audit software work products throughout the project’s life cycle to provide management the information with which to judge whether LMAS is adhering to established quality guidelines. Because council members have full-time responsibilities for the organizations they manage, they cannot devote the time to QA that is needed, nor do they have the IT background needed to review project deliverables for adherence to OCIO configuration management and other quality requirements.

According to the LMAS Project Manager, project-level QA will also be met through Independent Verification and Validation (IV&V), which determines whether products produced at each step of the development effort fulfill requirements and function as intended. However, while IV&V testing is important to ensure that system requirements are met, it is fundamentally different from software quality assurance and has different reporting interfaces. IV&V is a systems engineering process that is independent from the project team and emphasizes the completeness and correctness of the products and deliverables, while software QA emphasizes compliance with standards and procedures and is matrixed with the project team to provide daily oversight of the project. Therefore, the IV&V testing will not adequately ensure that the LMAS software is designed in compliance with OCIO’s quality standards.

Inadequate software quality could lead to project cost and schedule overruns, a system that does not meet SBA’s requirements, software failures that require costly repairs, limited interoperability of system components, and inflexibility of the system to adapt to new customers, tasks and other hardware and software. Given the size and complexity of LMAS, and that multiple system interfaces are planned, SBA should consider outsourcing the project-level QA activities to obtain a dedicated team with the expertise needed to perform the full range of QA activities, as other Federal agencies have done.

For example, the State Department recently outsourced QA on a large, complex network modernization project entitled State Messaging and Archive Retrieval Toolset (SMART). This QA function established quality goals and related performance baselines and periodically assessed project performance results against the established quality and performance baselines. As a result, SMART project stakeholders had additional assurance that project activities and deliverables met predetermined standards and that an effective corrective action process was deployed early in the project’s lifecycle, thereby avoiding costly rework.

SBA Has Not Finalized a Quality Plan for the LMAS Project

OCIO’s Systems Development Management policy requires that a quality plan be established in the early stages of systems development projects. The quality plan establishes standards and procedures that will ensure adherence to the OCIO’s policies and establishes high-level quality requirements, thereby facilitating the identification of defects early in the project life cycle and avoiding costly rework. These quality standards include documentation and deliverable acceptance requirements, testing, configuration control, problem reporting and corrective action processes, and periodic audits. Further, the quality plan should be developed prior to solicitation, as required by the Federal Acquisition Regulations (FAR). These regulations state that “the contracting officer shall include in the solicitation and contract the appropriate quality requirements.”4 FAR further provides that agencies may either prepare the quality plan or require vendors to submit a plan for consideration in the development of the agency’s plan.5 The FAR also states that requiring compliance with “higher level” quality standards (e.g., industry standards, such as ISO 9001) is appropriate in solicitations and contracts for complex or critical items.6

Despite these requirements, SBA released its solicitation proposal for LMAS without having an approved quality plan for LMAS. A draft plan was developed, but it was never finalized or approved by the CIO. Consequently, the lack of a quality plan early in the LMAS planning phase limits the consideration of quality standards, processes, and metrics in the initial planning iterations and project management performance baselines. In subsequent project phases (such as execution, monitoring and control) it can also significantly increase the risk of noncompliance with SBA’s enterprise quality standards; adversely affect key control processes, such as project performance reporting, change control management, and defect repair and prevention; and lead to costly rework.

The LMAS project manager told us that because the FAR allows agencies to require the solution provider to propose quality plans, and the provider that SBA selects will be responsible for preparing the LMAS Statement of Work, the Agency plans to have the provider propose the draft quality plan. While we agree with SBA’s interpretation of the FAR, when the solicitation is for a complex or critical system, such as LMAS, the FAR provides that compliance with higher level standards should be required. We noted that SBA’s solicitation did not require compliance with higher level standards, such as those defined in OCIO’s Systems Development Management policy or industry standards.

4 FAR 46.201(a).
5 FAR 37.604.
6 FAR 46.202-4(b).

RECOMMENDATIONS

We recommend that the Associate Administrator for Capital Access:

1. Make cost-effective remediation of mainframe vulnerabilities a priority and ensure that migration of LAS occurs before the current mainframe contract expires in 2012 to reduce SBA’s mainframe costs and timely mitigate associated security risks.

We recommend that the Chief Information Officer:

2. Ensure interim remediation and prioritization of identified LAS vulnerabilities are completed consistent with the guidelines established by FIPS 200 and OMB A-130.

3. Design and implement an enterprise-wide QA function that fully addresses the risk and scope of the LMAS project and ensures the OCIO can fulfill its responsibilities under the Clinger-Cohen Act to provide independent quality assurance and oversight of Information Technology investments.

We recommend that the LMAS project manager:

4. Consider outsourcing the project-level QA function to ensure alignment of LMAS project deliverables with SBA’s quality standards.

5. Finalize and obtain OCIO approval of the Quality Plan for LMAS and incorporate the plan’s quality standards into the contract that is ultimately awarded for development of LMAS.

AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

On April 18, 2008, we provided SBA a draft copy of the report for comment. We discussed the findings and recommendations with the Chief Information Officer and LMAS project manager. On May 14, 2008, the Chief Information Officer provided written comments to the draft that incorporated comments from the Office of Capital Access. These comments, which address recommendations 1, 2 and 3, are summarized below. The full text of these comments can be found in Appendix II. We did not, however, receive comments from the LMAS project manager addressing recommendations 4 and 5.

Management generally concurred with recommendations 1, 2 and 3, but did not provide time frames for implementing proposed actions. Management agreed to form a team to re-evaluate open mainframe vulnerabilities to determine alternative cost-effective solutions to remediate vulnerabilities and to develop a strategy for addressing the vulnerabilities that will consider the associated risk and cost implications. Management also agreed to ensure that interim remediation and prioritization of LAS vulnerabilities is consistent with FIPS 200 and OMB A-130 guidance. Finally, management stated that it is currently working on an Agency-wide QA oversight function, which will include developing QA standards, monitoring the LMAS project plan and implementing QA activities throughout the LMAS project schedule. These actions will be fully responsive to recommendations 1, 2 and 3 once the Agency submits time frames for implementing proposed actions. We will pursue a management decision on recommendations 4 and 5 through the audit resolution process.

ACTIONS REQUIRED

Because your proposed actions do not provide target dates to be considered fully responsive to recommendations 1, 2 and 3, we request that you provide a written response by May 28, 2008, providing the time frames you propose for implementing the recommendations.


APPENDIX I. SUMMARY OF LOAN ACCOUNTING SYSTEM VULNERABILITIES REPORTED IN SBA’S FY 2007 PLAN OF ACTION AND MILESTONES SUMMARY

LAS Subsystem*   Number Identified   Number Identified   Number Identified   Total Number of
                 as High-Risk        as Medium-Risk      as Low-Risk         Vulnerabilities by Subsystem
Subsystem 1      FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2
Subsystem 2      FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2
Subsystem 3      FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2
Subsystem 4      FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2
Subsystem 5      FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2
Subsystem 6      FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2
Subsystem 7      FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2
Subsystem 8      FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2
Subsystem 9      FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2**
Totals           FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2          FOIA Ex. 2

* For security purposes, the subsystems have not been named.
** One vulnerability was not deferred to FY 2013.

Source: SBA’s November 27, 2007, Loan Accounting System Plan of Action and Milestones